nixos/services/authelia.nix

# services/authelia.nix — Native Authelia SSO with auto-migration from Docker
{ config, lib, pkgs, ... }:
let
  # Migrates secrets + user DB from the old Docker Authelia setup
  setupScript = pkgs.writeShellScript "authelia-setup" ''
    set -euo pipefail
    YQ="${pkgs.yq-go}/bin/yq"
    DOCKER_CONFIG="/home/fred/docker/authelia/configuration.yml"
    SECRETS_DIR="/var/secrets/authelia"
    STATE_DIR="/var/lib/authelia-main"

    mkdir -p "$SECRETS_DIR"
    mkdir -p "$STATE_DIR"

    # Migrate secrets from Docker config if they haven't been extracted yet
    if [ -f "$DOCKER_CONFIG" ]; then
      if [ ! -f "$SECRETS_DIR/jwt_secret" ]; then
        $YQ '.identity_validation.reset_password.jwt_secret' "$DOCKER_CONFIG" \
          | tr -d '"' > "$SECRETS_DIR/jwt_secret"
        echo "Migrated jwt_secret"
      fi
      if [ ! -f "$SECRETS_DIR/session_secret" ]; then
        $YQ '.session.secret' "$DOCKER_CONFIG" \
          | tr -d '"' > "$SECRETS_DIR/session_secret"
        echo "Migrated session_secret"
      fi
      if [ ! -f "$SECRETS_DIR/storage_encryption_key" ]; then
        $YQ '.storage.encryption_key' "$DOCKER_CONFIG" \
          | tr -d '"' > "$SECRETS_DIR/storage_encryption_key"
        echo "Migrated storage_encryption_key"
      fi
    fi

    chmod 644 "$SECRETS_DIR"/*

    # Migrate users database
    if [ ! -f "$STATE_DIR/users_database.yml" ] && \
       [ -f "/home/fred/docker/authelia/users_database.yml" ]; then
      cp /home/fred/docker/authelia/users_database.yml "$STATE_DIR/"
      chown authelia-main:authelia-main "$STATE_DIR/users_database.yml"
      echo "Migrated users_database.yml"
    fi

    echo "Authelia setup complete."
  '';
in
{
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.authelia.instances.main = {
      enable = true;

      secrets = {
        jwtSecretFile = "/var/secrets/authelia/jwt_secret";
        storageEncryptionKeyFile = "/var/secrets/authelia/storage_encryption_key";
        sessionSecretFile = "/var/secrets/authelia/session_secret";
      };

      settings = {
        theme = "dark";
        server.address = "tcp://127.0.0.1:9091/";

        log = {
          level = "info";
          format = "text";
        };

        authentication_backend.file.path = "/var/lib/authelia-main/users_database.yml";

        access_control = {
          default_policy = "deny";
          rules = [
            { domain = "camera.nordhammer.it";   policy = "one_factor"; }
            { domain = "homepage.nordhammer.it"; policy = "one_factor"; }
            { domain = "7dtd.nordhammer.it";     policy = "one_factor"; }
            { domain = "adguard.nordhammer.it";  policy = "one_factor"; }
            { domain = "sonarr.nordhammer.it";   policy = "one_factor"; }
            { domain = "radarr.nordhammer.it";   policy = "one_factor"; }
            { domain = "bazarr.nordhammer.it";   policy = "one_factor"; }
            { domain = "prowlarr.nordhammer.it"; policy = "one_factor"; }
            { domain = "torrent.nordhammer.it";  policy = "one_factor"; }
            { domain = "profilarr.nordhammer.it"; policy = "one_factor"; }
          ];
        };

        session = {
          cookies = [{
            domain = "nordhammer.it";
            authelia_url = "https://auth.nordhammer.it";
          }];
          expiration = "1h";
          inactivity = "5m";
        };

        storage.local.path = "/var/lib/authelia-main/db.sqlite3";
        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
      };
    };

    # Auto-migrate Docker Authelia data on first deploy
    systemd.services.authelia-setup = {
      description = "Migrate Authelia secrets and user database from Docker";
      before = [ "authelia-main.service" ];
      requiredBy = [ "authelia-main.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = setupScript;
      };
    };
  };
}
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# services/authelia.nix — Native Authelia SSO with auto-migration from Docker`
			`{ config, lib, pkgs, ... }:`
			`let`
			`# Migrates secrets + user DB from the old Docker Authelia setup`
			`setupScript = pkgs.writeShellScript "authelia-setup" ''`
			`set -euo pipefail`
			`YQ="${pkgs.yq-go}/bin/yq"`
			`DOCKER_CONFIG="/home/fred/docker/authelia/configuration.yml"`
			`SECRETS_DIR="/var/secrets/authelia"`
			`STATE_DIR="/var/lib/authelia-main"`

			`mkdir -p "$SECRETS_DIR"`
Fix authelia-setup: create state directory before migrating user database Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:58:51 +01:00			`mkdir -p "$STATE_DIR"`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00
			`# Migrate secrets from Docker config if they haven't been extracted yet`
			`if [ -f "$DOCKER_CONFIG" ]; then`
			`if [ ! -f "$SECRETS_DIR/jwt_secret" ]; then`
			`$YQ '.identity_validation.reset_password.jwt_secret' "$DOCKER_CONFIG" \`
			`\| tr -d '"' > "$SECRETS_DIR/jwt_secret"`
			`echo "Migrated jwt_secret"`
			`fi`
			`if [ ! -f "$SECRETS_DIR/session_secret" ]; then`
			`$YQ '.session.secret' "$DOCKER_CONFIG" \`
			`\| tr -d '"' > "$SECRETS_DIR/session_secret"`
			`echo "Migrated session_secret"`
			`fi`
			`if [ ! -f "$SECRETS_DIR/storage_encryption_key" ]; then`
			`$YQ '.storage.encryption_key' "$DOCKER_CONFIG" \`
			`\| tr -d '"' > "$SECRETS_DIR/storage_encryption_key"`
			`echo "Migrated storage_encryption_key"`
			`fi`
			`fi`

			`chmod 644 "$SECRETS_DIR"/*`

			`# Migrate users database`
			`if [ ! -f "$STATE_DIR/users_database.yml" ] && \`
			`[ -f "/home/fred/docker/authelia/users_database.yml" ]; then`
			`cp /home/fred/docker/authelia/users_database.yml "$STATE_DIR/"`
			`chown authelia-main:authelia-main "$STATE_DIR/users_database.yml"`
			`echo "Migrated users_database.yml"`
			`fi`

			`echo "Authelia setup complete."`
			`'';`
			`in`
			`{`
			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`

			`services.authelia.instances.main = {`
			`enable = true;`

			`secrets = {`
			`jwtSecretFile = "/var/secrets/authelia/jwt_secret";`
			`storageEncryptionKeyFile = "/var/secrets/authelia/storage_encryption_key";`
			`sessionSecretFile = "/var/secrets/authelia/session_secret";`
			`};`

			`settings = {`
			`theme = "dark";`
			`server.address = "tcp://127.0.0.1:9091/";`

			`log = {`
			`level = "info";`
			`format = "text";`
			`};`

			`authentication_backend.file.path = "/var/lib/authelia-main/users_database.yml";`

			`access_control = {`
			`default_policy = "deny";`
			`rules = [`
			`{ domain = "camera.nordhammer.it"; policy = "one_factor"; }`
Authorize 7dtd.nordhammer.it in Authelia ACL Without this rule the subdomain falls under default_policy=deny, which returns 403 instead of the 401 that nginx needs to redirect to the Authelia login page. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-18 23:23:48 +01:00			`{ domain = "homepage.nordhammer.it"; policy = "one_factor"; }`
			`{ domain = "7dtd.nordhammer.it"; policy = "one_factor"; }`
Wire AdGuard Home into Authelia SSO and Homepage dashboard - adguard.nordhammer.it now routes through Authelia forward auth (AdGuard Home itself has no login, so this becomes the single gate) - Added Authelia ACL rule for the subdomain so default_policy=deny returns 401 for redirect instead of 403 - Added AdGuard Home widget to Homepage under Infrastructure Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 14:15:57 +01:00			`{ domain = "adguard.nordhammer.it"; policy = "one_factor"; }`
Put Servarr + qBit + games + search behind Authelia Only Jellyfin and the Authelia portal itself stay unprotected externally (Jellyfin because it's streamed to remote clients; Authelia because it is the login gate). Everything else (sonarr, radarr, bazarr, prowlarr, torrent/qBittorrent, games, search) now goes through Authelia forward auth. Internal integrations (Homepage widgets, Prowlarr → Sonarr/Radarr, Bazarr → Sonarr/Radarr, transcode-hevc qBit queries) use 127.0.0.1:PORT directly, so they are unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 11:21:28 +01:00			`{ domain = "sonarr.nordhammer.it"; policy = "one_factor"; }`
			`{ domain = "radarr.nordhammer.it"; policy = "one_factor"; }`
			`{ domain = "bazarr.nordhammer.it"; policy = "one_factor"; }`
			`{ domain = "prowlarr.nordhammer.it"; policy = "one_factor"; }`
			`{ domain = "torrent.nordhammer.it"; policy = "one_factor"; }`
profilarr: swap recyclarr for Dictionarry's Profilarr Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web service that owns *arr profiles end-to-end via its own UI. Runs as an oci-container on 127.0.0.1:6868, fronted by nginx at profilarr.nordhammer.it behind Authelia (one_factor). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-30 20:00:33 +01:00			`{ domain = "profilarr.nordhammer.it"; policy = "one_factor"; }`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`];`
			`};`

			`session = {`
			`cookies = [{`
			`domain = "nordhammer.it";`
			`authelia_url = "https://auth.nordhammer.it";`
			`}];`
			`expiration = "1h";`
			`inactivity = "5m";`
			`};`

			`storage.local.path = "/var/lib/authelia-main/db.sqlite3";`
			`notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";`
			`};`
			`};`

			`# Auto-migrate Docker Authelia data on first deploy`
			`systemd.services.authelia-setup = {`
			`description = "Migrate Authelia secrets and user database from Docker";`
			`before = [ "authelia-main.service" ];`
			`requiredBy = [ "authelia-main.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`ExecStart = setupScript;`
			`};`
			`};`
			`};`
			`}`